-rw-r--r-- | main/unbound/APKBUILD | 9 | ||||
-rw-r--r-- | main/unbound/CVE-2019-16866.patch | 26 |
2 files changed, 33 insertions, 2 deletions
diff --git a/main/unbound/APKBUILD b/main/unbound/APKBUILD
index 3b0f1f960d..c92f09b4a8 100644
--- a/main/unbound/APKBUILD
+++ b/main/unbound/APKBUILD
@@ -3,7 +3,7 @@
 # Maintainer: Natanael Copa <ncopa@alpinelinux.org>
 pkgname=unbound
 pkgver=1.7.3
-pkgrel=0
+pkgrel=1
 pkgdesc="Unbound is a validating, recursive, and caching DNS resolver"
 url="http://unbound.net/"
 arch="all"
@@ -20,6 +20,7 @@ subpackages="$pkgname-dev $pkgname-doc $pkgname-libs $pkgname-dbg py-unbound:py
 source="http://unbound.net/downloads/$pkgname-$pkgver.tar.gz
 conf.patch
 update-unbound-root-hints
+ CVE-2019-16866.patch
 migrate-dnscache-to-unbound
 root.hints
 $pkgname.initd
@@ -27,6 +28,10 @@ source="http://unbound.net/downloads/$pkgname-$pkgver.tar.gz
 "
 builddir="$srcdir/$pkgname-$pkgver"
 
+# secfixes
+# 1.7.3-r1:
+# - CVE-2019-16866
+
 build() {
 cd "$builddir"
 
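Review bot: The marker line added in the third hunk reads `# secfixes` with no trailing colon; the APKBUILD secfixes block is conventionally written `# secfixes:` so that tooling which builds the security database from these comments recognises it. As written, the CVE-2019-16866 entry for 1.7.3-r1 may be skipped, and scanners that rely on that data would keep reporting the fixed package as affected. The indentation of the two lines under it cannot be checked on this page because whitespace was collapsed; it should follow the nested form used in other APKBUILDs.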
@@ -98,10 +103,10 @@ migrate() {
 install -m755 -D "$srcdir"/migrate-dnscache-to-unbound \
 "$subpkgdir"/usr/bin/migrate-dnscache-to-unbound
 }
-
 sha512sums="34b2e93660e519b2eccefef26a6c7ac09fa3312384cc3bc449ff2b10743bd86bfeb36ec19d35eb913f8d0a3d91ad7923260a66fc799f28b0a2cc06741d80f27a unbound-1.7.3.tar.gz
 bd51769e3e2d6035df1abbf220038a56a69795a092b5f31005e1910c6c88e334d7e71fe16d874885ef74c597f3a1d7af50f9ad9736ba7ebb10ae50178828661c conf.patch
 b16b7b15392c0d560718ee543f1eebc5617085fb30d61cddc20dd948bd8b1634ee5b2de1c9cb172a6c0d1c5bbaf98b6fd39816d39c72a43ff619455449e668ac update-unbound-root-hints
+da578f620bc1abca4a53bb3448c023c59ccd33c0d560603ab5e6caf7eebd8e4d8a2401f2e4ebbcf1124f168699be02a489ae27d7b723f9b67678592ecea30529 CVE-2019-16866.patch
 b26a13c1c88da9611a65705dc59f7233c5e0f6aced0d7d66c18536a969a2de627ca5d4bb55eedd81f2f040fa11bde48eaaeca2850f376e72e7a531678a259131 migrate-dnscache-to-unbound
 0dca3470ed4ca9b76d6f47f5d20e92924e6648f0870d8594fe6735d8f1cdfeeee7296301066c2a8b2b94f7daed86c15efe00c301ca27e435e5dd2c85508dc9c8 root.hints
 d8392a6d238b46fd207d57eb2d23d0806d070c203ae196a6c2a6a4f7de4c95beecee86640649ff7dcc1cec3d3edcd313e8d91bff4188bdc1133b12fe6eff554e unbound.initd
diff --git a/main/unbound/CVE-2019-16866.patch b/main/unbound/CVE-2019-16866.patch
new file mode 100644
index 0000000000..63ebf61005
--- /dev/null
+++ b/main/unbound/CVE-2019-16866.patch
@@ -0,0 +1,26 @@
+diff --git a/util/data/msgparse.c b/util/data/msgparse.c
+index 13cad8a..fb31237 100644
+--- a/util/data/msgparse.c
++++ b/util/data/msgparse.c
+@@ -1061,18 +1061,18 @@ parse_edns_from_pkt(sldns_buffer* pkt, struct edns_data* edns,
+ size_t rdata_len;
+ uint8_t* rdata_ptr;
+ log_assert(LDNS_QDCOUNT(sldns_buffer_begin(pkt)) == 1);
++ memset(edns, 0, sizeof(*edns));
+ if(LDNS_ANCOUNT(sldns_buffer_begin(pkt)) != 0 ||
+ LDNS_NSCOUNT(sldns_buffer_begin(pkt)) != 0) {
+ if(!skip_pkt_rrs(pkt, ((int)LDNS_ANCOUNT(sldns_buffer_begin(pkt)))+
+ ((int)LDNS_NSCOUNT(sldns_buffer_begin(pkt)))))
+- return 0;
++ return LDNS_RCODE_FORMERR;
+ }
+ /* check edns section is present */
+ if(LDNS_ARCOUNT(sldns_buffer_begin(pkt)) > 1) {
+ return LDNS_RCODE_FORMERR;
+ }
+ if(LDNS_ARCOUNT(sldns_buffer_begin(pkt)) == 0) {
+- memset(edns, 0, sizeof(*edns));
+ edns->udp_size = 512;
+ return 0;
+ }
+
|
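Review bot: The new patch file begins directly at `diff --git` with no header recording where the fix came from, so this backport cannot later be compared with upstream. I would add a short preamble above the diff, for example `Fix for CVE-2019-16866: zero *edns before any return in parse_edns_from_pkt` and `Upstream: <UPSTREAM_COMMIT_URL>`. The embedded hunk covers only part of parse_edns_from_pkt, and its offsets (line 1061) presumably come from a different upstream tree than 1.7.3. It is worth confirming that the patch applies without fuzz, and that no return path below the visible lines relied on the old placement of the `memset`.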